


(12) INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT) 



(19) World Intellectual Property Organization 

International Bureau 

(43) International Publication Date 
5 December 2002 (05.12.2002) 







(10) International Publication Number 

WO 02/097620 A2 



(51) International Patent Classification 7 : G06F 9/445 

(21) International Application Number: PCT/US02/16485 

(22) International Filing Date: 23 May 2002 (23.05.2002) 

(25) Filing Language: English 

(26) Publication Language: English 

(30) Priority Data: 

09/872,418 31 May 2001 (31.05.2001) US 

(71) Applicant: QUALCOMM INCORPORATED [US/US]; 
5775 Morehouse Drive, San Diego, CA 92121-1714 (US). 

(72) Inventors: LUNDBLADE, Laurence; 3062 Naugatuck, 
San Diego, CA 92117 (US). PHILLIPS, Marc, S.; 
4008 Gros Ventre Avenue, San Diego, CA 92117 (US). 
MINEAR, Brian; 13704 Fontanelle Place, San Diego, 
CA 92128 (US). ZHUANG, Yan; 8223 Jade Coast Road, 
No. 120, San Diego, CA 92126 (AU). KRISHNAN, 
Anand; 13775 Sorbonne Court, San Diego, CA 92128 
(US). SPRIGG, Stephen, A.; 12124 Travertine Court, 
Poway, CA 92064 (US). CHMAYTELLI, Mazen; 1752 



Linwood Street #G, San Diego, CA 92110 (US). OLIVER, 
Mitchell; 9737 Caminito Suelto, San Diego, CA 92131 
(US). HOREL, Gerald; 6500 Torin Road, Brentwood 
Bay, British Columbia V8M2H5 (CA). CROSSLAND, 
Karen; 5044 Maynard Street, San Diego, CA 92122 (US). 

(74) Agents: WADSWORTH, Philip, R. et al.; Qualcomm In- 
corporated, 5775 Morehouse Drive, San Diego, CA 92121- 
1714 (US). 

(81) Designated States (national): AH, AG, AL, AM, AT, AU, 
AZ, BA, BB, BG, BR, BY, BZ, CA, CH, CN, CO, CR, CU, 
CZ, DE, DK, DM, DZ, EC, EE, ES, FI, GB, GD, GE, GH, 
GM, HR, HU, ID, IL, IN, IS, JP, KE, KG, KP, KR, KZ, LC, 
LK, LR, LS, LT, LU, LV, MA, MD, MG, MK, MN, MW, 
MX, MZ, NO, NZ, OM, PH, PL, PT, RO, RU, SD, SE, SG, 
SI, SK, SL, TJ, TM, TN, TR, TT, TZ, UA, UG, US, UZ, 
VN, YU, ZA, ZM, ZW. 

(84) Designated States (regional): ARIPO patent (GH, GM, 
KE, LS, MW, MZ, SD, SL, SZ, TZ, UG, ZM, ZW), 
Eurasian patent (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), 
European patent (AT, BE, CH, CY, DE, DK, ES, FI, FR, 
GB, GR, IE, IT, LU, MC, NL, PT, SE, TR), OAPI patent 
(BF, BJ, CF, CG, CI, CM, GA, GN, GQ, GW, ML, MR, 
NE, SN, TD, TG). 




(54) Title: SAFE APPLICATION DISTRIBUTION AND EXECUTION IN A WIRELESS ENVIRONMENT 




(57) Abstract: The present invention provides safe and 
secure application distribution and execution by provid- 
ing systems and methods that test an application to ensure 
that it satisfies predetermined criteria associated with the 
environment in which it will execute. Furthermore, by 
using rules and permission lists, application removal, and 
a modification detection technique, such as digital signa- 
tures, the present invention provides mechanisms to safely 
distribute and execute tested, or untested, applications by 
determining whether the application has been modified, 
determining if it has permission to execute in a given wire- 
less device environment, and removing the application. 











Published: without international search report and to be republished upon receipt of that report. 

For two-letter codes and other abbreviations, refer to the "Guidance Notes on Codes and Abbreviations" appearing at the beginning of each regular issue of the PCT Gazette. 





WO 02/097620 



PCT/US02/16485 




SAFE APPLICATION DISTRIBUTION 
AND EXECUTION IN A WIRELESS ENVIRONMENT 

Field of the Invention 

The present invention relates to processing of applications for use in a wireless 
device, and more particularly, to increasing the security, safety and integrity of 
applications executed on a wireless device. 

Background 

Wireless communication has experienced explosive growth in recent years. 

As consumers and businesses rely more on their wireless devices, such as mobile 
phones and personal digital assistants (PDAs), wireless service providers, i.e., 
carriers, strive to provide additional functionality on these wireless devices. This 
additional functionality would not only increase the demand for wireless devices but 
also increase the usage among current users. Increasing functionality, specifically by 
increasing the applications accessible by the wireless device, however, is costly and 
complicated thereby discouraging carriers from providing this functionality. 

Furthermore, there is little to no assurance that an application, once placed on 
a wireless device, will execute properly. Currently, reliance on the application’s 
ability to execute on a wireless device rests on the developer, the wireless device 
maker and/or the carrier. As more applications are developed and the number of 
applications on a wireless device increases, the wireless device environment becomes 
more dynamic. For example, a wireless device may choose to retrieve or execute a 
number of different applications from a large pool of available applications at any given 
time. Thus, ensuring that any given application will be distributed to the wireless 
device and execute safely becomes much more difficult to control. 

This is of particular concern because improper execution of an application 
may not only detrimentally affect the wireless device, but it may also be harmful to 
the carrier network and other network components, including other wireless devices. 
For example, one application, if not restricted, could take control of a wireless 
device’s power control and cause interference among other wireless devices and 
decrease the overall capacity in the cell servicing the wireless device. 
Currently, neither wireless device manufacturers nor carriers are equipped to 
support the testing and safe distribution of applications in a dynamic application 
distribution and execution environment. Thus, there is a concern that applications 
will be distributed and executed on wireless devices that may cause harm to the 
wireless device, carrier network, or other network components. 

In addition, other safety issues arise as more applications are developed and 
the environment by which applications are transmitted to a wireless device becomes 
more dynamic. As the number of applications and the number of developers creating 
these applications increases, the desire to know the source of any given application, 
i.e., the developer, also increases. A carrier or a handset manufacturer will want to 
know, with some degree of reliability, that they can determine the source of an 
application should the application cause harm. 

Consequently, what is needed in the art is a system and method for providing a 
safer environment for the distribution and execution of applications on a wireless 
device. 



SUMMARY OF THE INVENTION 

Systems and methods consistent with the present invention overcome the 
shortcomings of existing systems by creating a safer environment for application 
distribution and execution that test applications with predetermined standards, provide 
traceability to the developer for nonrepudiation, check for unintended modifications 
to the application, allow the removal of the application from the wireless device, 
and/or use rules and permissions that define the environment on which an application 
may execute. 

Certifying that an application meets predetermined standards provides the 
advantage of catching possible errors that could occur during execution ahead of time. 
This helps to prevent the detrimental effect of an application’s execution. 

Traceability provides the advantage of non-repudiation. If there is any 
problem with the application, it is beneficial to trace back to the source of the 
application, i.e., the developer, to correct the problem. In addition, having traceability 
discourages developers from creating applications that have harmful results, 
whether intended or unintended. 
Furthermore, the ability to determine if an application is modified prior to 
receiving it at the wireless device provides the advantage of increased safety by 
ensuring that the application received is the same one that was transmitted. As 
applications are distributed more freely in the wireless environment, the ability to 
determine if an application was modified increases the confidence that an application 
received by the wireless device was not modified, either accidentally or intentionally. 

Providing a set of rules and permissions that define when applications may 
execute also increases the safety of an application distribution and execution system 
by preventing the unauthorized execution of an application on platforms, e.g., systems 
or environments in which it is not authorized. 

The ability to remove applications from a wireless device also increases the 
safety of an application distribution system. If an application is installed on a handset, 
either by the manufacturer or through an application download, having a mechanism 
to remove the application because of unforeseen negative consequences increases the 
safety of an application distribution and execution system by removing harmful and 
undesirable code that could be detrimental. 

Systems and methods consistent with the present invention may invoke one or 
more of the techniques disclosed herein. By invoking all of the techniques disclosed 
and referenced herein, however, systems and methods consistent with the present 
invention provide for high quality and safe distribution and execution of applications. 

In one embodiment of the present invention, a method for distributing and 
processing an application, comprises the steps of receiving the application and 
identification information, certifying the application satisfies a predetermined 
criterion, assigning a permission to the application, transmitting the application, the 
permission and the identification information to the device using a modification 
detection technique, determining whether the application was modified during 
transmission, storing a rule on the device, determining if the application may be 
processed using the permission and the rule, and removing the application from the 
device. 

In another embodiment of the present invention, a method for executing an 
application on a wireless device, comprises the steps of storing a rule to evaluate a 
permission, receiving information comprising the application, the permission and an 
identification using a modification detection technique, receiving a request to execute 
the application on the wireless device, evaluating the received information to 
determine if the received information was modified, in the event the received 
information was not modified, evaluating the permission associated with the 
application, and in the event the permission is granted, executing the application. 

In yet another embodiment of the present invention, a method for executing an 
application on a wireless device comprises the steps of storing a rule to evaluate a 
permission, receiving information comprising the application, the permission and an 
identification using a modification detection technique, receiving a request to execute 
the application on the wireless device, evaluating the received information to 
determine if the received information was modified, in the event the received 
information was not modified, evaluating the permission associated with the 
application, and in the event the permission is granted, executing the application. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The accompanying drawings, which are incorporated in and constitute a part 
of the specification, illustrate presently preferred embodiments of the invention and, 
together with the general description given above and the detailed description of the 
preferred embodiments given below, serve to explain the principles of the invention. 
In the drawings: 

Figure 1 is a flowchart depicting the high-level process of safe application 
distribution and execution in an exemplary embodiment of the present invention; 

Figure 2 is a block diagram depicting a system architecture in which an 
exemplary embodiment of the present invention may be practiced; 

Figure 3 is a block diagram depicting a wireless network architecture in which 
a safe application distribution processing system may be practiced in an exemplary 
embodiment of the present invention; 

Figure 4 is a block diagram depicting a wireless device and some internal 
components in an exemplary embodiment of the present invention; 





Figure 5 is a block diagram depicting information used to create a digital 
signature and transmitted to a wireless device in an exemplary embodiment of the 
present invention; 

Figure 6 is a flowchart depicting the steps used by a server or servers in 
distributing an application in an exemplary embodiment of the present invention; and 

Figure 7 is a flowchart depicting the steps used by a wireless device when 
executing an application in an exemplary embodiment of the present invention. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT 

Reference will now be made in detail to the exemplary and preferred 
embodiments of the invention as illustrated in the accompanying drawings, in which 
like reference characters designate like or corresponding parts throughout the several 
drawings. The nature, objectives and advantages of the present invention will become 
more apparent to those skilled in the art after considering the following detailed 
description in connection with the accompanying drawings. 

The present invention provides safe and secure application distribution and 
execution by providing systems and methods that test an application to ensure that it 
satisfies the predetermined criteria associated with the environment in which it will 
execute. Furthermore, by using rules and permission lists, application removal, and a 
modification detection technique, such as digital signatures, the present invention 
provides mechanisms to safely distribute and execute a tested, or untested, application 
by determining whether the application has been modified, determining if it has 
permission to execute in a given wireless device environment, and removing the 
application should it be desirable to do so. 

It will be recognized by those skilled in the art that the foregoing describes an 
application file type being distributed and executed for simplicity of description. An 
“application” may also include files having executable content, such as: object code, 
scripts, Java files, bookmark files (or PQA files), WML scripts, byte code, and Perl 
scripts. In addition, an “application” referred to herein, may also include files that are 
not executable in nature, such as documents that may need to be opened or other data 
files that need to be accessed. 
Figure 1 is a flowchart depicting the high level process of safe application 
distribution and execution in a manner consistent with an exemplary embodiment of 
the present invention. An embodiment of the present invention enables a developer 
identification to be associated with the application, performs testing on the application 
for the environment where the application is intended to execute, assigns permissions 
that can be used to dictate which devices or systems may execute the application, and 
provides for application removal should an application perform illegal or undesirable 
actions. 

It is preferable that systems and methods employ all these techniques to 
increase the safe distribution and execution of an application. It will be recognized, 
however, that even employing one or more of these techniques will increase the safe 
distribution and execution of an application. 

The high level process begins by associating the developer identification with 
an application (Step 100). This process may be performed by binding the developer 
identification with the application as it is distributed. Alternatively, the associated 
developer identification may be stored along with the corresponding application on a 
server in the system. It is also preferable that the developer identification information 
be stored and associated with the application information so that it cannot be easily 
modified. 

The application is then tested for improper operation (Step 105). The 
application may be used in an environment where improper operation may not only 
affect the device on which the application is running, but also those other devices that 
are connected or networked with that device. It is preferable to test the application so 
that it does not make improper system calls or negatively affect the device or other 
connected devices during its operation. In one embodiment, this testing is performed 
by a certification process where the application is tested to determine if it meets 
predetermined criteria. It is preferable also, to have a certification process 
independent of the developer, to test the application. The independence of the 
certification process encourages more accurate and reliable testing. 

Prior to executing the application, the application is checked to determine if it 
is “allowed” to execute on the device (Step 110). This check may be performed by 
the use of permissions and rules, described below, or by other permission mechanisms 
known to those skilled in the art. Furthermore, it is preferable that the application be 
checked prior to every attempt to execute the application. This persistent checking 
process increases the safety of executing the application. For example, it guards 
against an application having a Trojan horse that may have been inserted into that 
application on the executing device via another application. 

An application that performs an improper or undesirable operation is then 
removed from the device (Step 115). This prevents the application from doing any 
further damage and also frees up the memory in the device for other uses. 
Alternatively, the application does not need to be removed from the device. 
Removing an application may refer to the disabling of the application and leaving the 
application on the device. 

Figure 2 depicts a system architecture in which an exemplary embodiment of 
the present invention may be practiced. A developer 200 creates an application for 
use on the wireless device 230. As described above, it will be recognized by those 
skilled in the art that, while the foregoing description includes an application file type, 
other file types may be used. Furthermore, it will be recognized by those skilled in 
the art that the present invention may be used with other wireless or non-wireless 
devices and may employ wireless networks, non-wireless networks, or a combination 
thereof. 

Typically, the developer 200 will have a set of development specifications for 
which to develop the application to execute on the wireless device 230. In one 
embodiment, the wireless device includes a software platform to assist the 
application’s interface with the wireless device, such as the BREW™ software 
developed by QUALCOMM, Incorporated, headquartered in San Diego, California. 
The developer may create the application satisfying the software platform, or 
BREW™ software, specification standards, and conventions. 

The developer 200 is connected to a central server 205, in one embodiment, so 
that it may electronically transmit the application to the central server 205. In one 
embodiment, the central server is an Application Control Center Headquarters 
(ACCHQ) server used in the distribution of applications to wireless devices. The 
developer 200 may digitally sign the application (discussed further below) to 
determine if the application was modified. It will be recognized that a physical 
connection to the central server is not necessary. For example, the developer 200 may 
send, such as via first class mail, the application to the central server 205 stored on a 
CD-ROM. 

In addition, the developer sends various source identification information to 
the central server 205. This source identification information may include any type of 
information that may be associated with the application that identifies the developer, 
such as a company name, tax identification of the company, or other identifying 
information. 

The central server 205, either by itself or using a certification server 210, is 
used in the analysis and certification of applications. In one embodiment, an 
Application Control Center (ACC) may be used as a certification server. The 
certification server 210 may be used to analyze the application to determine whether 
the application satisfies predetermined certification criteria. These criteria may include 
whether the application satisfied the development specification for execution on a 
wireless device or platform. The certification criteria, however, can be any criteria 
that an application must satisfy prior to execution on a wireless device or platform. 
Such criteria may include verifying: (a) that the application functions as claimed by 
the developer, so that the application does not harm the wireless device’s operation 
(e.g., it does not crash the phone); (b) that the application does not access data or 
memory that it should not (e.g., it doesn’t access data or files owned by other 
applications, the operating system or platform software); and (c) that it does not 
negatively impact the wireless device’s resources, such as detrimentally monopolizing 
the input and output of the wireless device. 

The central server 205 may also assign a set of permissions in a list associated 
with the application. This permission list is determined by various factors, including 
an analysis of whether the application passed the certification process, what networks 
220 the application is approved to execute on, and whether the wireless device 
supports the application. Many factors may be used to determine a permission 
list, and their selection is left to those skilled in the art when implementing the present invention. 

The central server 205 receives the developer identification information and 
correlates it with the application created by the developer 200. Should any problems 
exist with the application, the central server will be able to identify the source of the 
application. In one embodiment, the developer information is passed to the wireless 
device 230 so that the correlation may be performed by the wireless device or other 
systems connected to the wireless device. 

In one embodiment, the central server is also connected to an application 
download server (ADS) 215. The application download server 215 is used to 
interface with a wireless device via a wireless network 220 to download an 
application. The central server may also send the permissions list and developer 
identification associated with the application to the ADS where it can be stored until 
transmission to a wireless device. It is preferred that the application, permission list 
and the developer identification be digitally signed by the central server to increase 
security from modification. 

It will be recognized by those skilled in the art that an ADS may be used to 
connect to multiple networks 220 for the distribution of applications, files and other 
information to the various wireless devices 230. Furthermore, wireless and non- 
wireless networks may be employed to transmit the application’s permission list and 
developer identification to the wireless device. 

In response to a request for an application, the ADS 215 will send the 
application, permission list, developer identification, and digital signature(s) to the 
wireless device 230 via the network 220. In one embodiment, the wireless device 230 
will contain a key to check the digital signature in order to determine if the 
application, permission list and/or developer information is modified. 

It is preferred, if digital signatures are employed in the present invention, that 
the central server use a secure key to create the digital signature and install a key on a 
wireless device to evaluate the digital signature. By using a secure key, the wireless 
device will have a higher degree of reliability that the digital signature was created by 
the central server and not an imposter. 

Should the application cause any errors on the wireless device, or for any other 
desired reason, the wireless device may initiate the removal of the application. 
Furthermore, an application may be removed from the wireless device based on a 
request from the ADS or central server. This request from the server may be initiated 
for any desired reason. For example, the server may initiate the removal of 
applications from a wireless device because the application performed improperly on 
another device, a new version of the application is distributed, or even business 
reasons dictating that the application should be removed. This application removal 
process further protects the wireless device environment from repeated execution of 
corrupted and/or destructive applications. 

Figure 3 depicts a wireless network architecture in which an application 
distribution system may be practiced in an exemplary embodiment of the present 
invention. A central server 302 is an entity that certifies, either by itself or in 
combination with a certification server, the application programs as compatible with a 
defined set of programming standards or conventions. As described earlier, these 
programming standards may be established so that the application will execute on a 
software platform, such as the BREW™ platform. 

In one embodiment, the central server database 304 consists of a record of the 
identifications for each application program downloaded at any time onto each 
wireless device 330 in the network 300, an Electronic Service Number (“ESN”) for 
the individual who downloaded the application program, and a Mobile Identification 
Number (“MIN”) unique to the wireless device 330 carrying that application program. 
Alternatively, the central server database 304 contains records for each wireless 
device 330 in the network 300 of the wireless device model, wireless network carrier, 
the region where the wireless device 330 is used, and any other information useful to 
identify which wireless devices 330 are carrying which application programs. In 
addition, the central server database may also store this developer identifying 
information associated with an application. 

In one embodiment, the central server 302 may also include a remove 
command source 322. The remove command source 322 is the person(s) or 
entity(ies) that may make the decision to remove one or more targeted application 
programs. The remove command source 322 also is the entity that constructs a 
remove command 316 (discussed below) that is broadcast to the identified wireless 
devices 330 carrying the targeted application program(s). Alternatively, and without 
limitation, the remove command source 322 may be one or more persons or entities 
involved with the development and issuance of the targeted application program, 
persons or entities involved with the manufacturing of the wireless device 330, and/or 
persons or entities involved with the function of any part of the network 300. 
The central server 302 communicates with one or more computer servers 306, 
e.g., an ADS, over a network 308, such as the Internet, preferably secured. The 
servers 306 also communicate with a carrier network 310 via a network 308. The 
carrier network 310 communicates with the MSC 312 by both the Internet and Plain 
Ordinary Telephone System (POTS) (collectively identified in Figure 3 as 311). The 
Internet connection 311 between the carrier network 310 and the MSC 312 transfers 
data, and the POTS 311 transfers voice information. The MSC 312, in turn, is 
connected to multiple base stations (“BTS”) 314. The MSC 312 is connected to the 
BTS by both the Internet 311 (for data transfer) and POTS 311 (for voice 
information). The BTS 314 sends messages wirelessly to the wireless devices 330 by 
short messaging service (“SMS”), or any other over-the-air method. 

One example of a message sent by the BTS 314 in the present invention is a 
remove command 316. As further discussed herein, the wireless device 330, in 
response to receiving a remove command 316, responds by uninstalling a targeted 
application program stored on the wireless device 330. In one embodiment, the 
remove program may additionally or alternatively be programmed to disable the 
targeted application program or reprogram it to perform differently. The wireless 
device may also delete the application and any related information, such as a 
permission list. 

The remove command 316 is constructed by the remove command source 322 
(which may or may not be the same person(s) or entity(ies) that made the decision to 
initiate a remove of the targeted application program). The remove command 316 is 
sent by the remove command source 322 over the network 300 for broadcasting to the 
wireless devices 330. 

By using the remove command as described in the above embodiment, the 
safety of application distribution and execution is increased by providing a 
mechanism to uninstall corrupted or undesirable applications. It will be recognized 
by those skilled in the art that, while the preceding described a remove command 
initiated by the central server, the wireless device may also initiate the removal or 
uninstallation of the application and its related information. 





Similarly, the above network may be used to send the application, permission 
list and associated digital signatures from the central server to various servers 306 
(e.g., ADS’) through the MSC and BTS to the wireless devices 330. 

Figure 4 depicts a wireless device and some internal components in an 
exemplary embodiment of the present invention. While this embodiment is directed 
to a wireless device 400, it is used as an example without any intended limitation. 

The invention could alternatively be performed on any form of remote module 
capable of communicating through a network, including, without limitation, wireless 
and non-wireless devices, such as personal digital assistants (“PDAs”), wireless 
modems, PCMCIA cards, access terminals, personal computers, devices without a 
display or keypad, or any combination or sub-combination thereof. These examples 
of remote modules also may have a user interface, such as a keypad, visual display or 
sound display. 

The wireless device 400 shown in Figure 4 has an application-specific 
integrated circuit (“ASIC”) 415 installed at the time the wireless device 400 is 
manufactured. The ASIC is a hardware component that is driven by software 
included in the ASIC. An application programming interface (“API”) 410 is also 
installed in the wireless device 400 at the time of manufacture. In one embodiment, 
the API represents a BREW API or software platform. The API 410 is a software 
program configured to interact with the ASIC. The API 410 serves as an interface 
between the ASIC 415 hardware and application programs (discussed below) installed 
on the wireless device 400. Alternatively, the wireless device 400 may contain any 
other form of circuitry that would allow programs to be operated in a manner that is 
compatible with the hardware configuration of the wireless device 400. The wireless 
device 400 also has storage 405. The storage 405 consists of RAM and ROM, but, 
alternatively, could be any form of memory, such as EPROM, EEPROM or flash card 
inserts. 

The storage area 405 of the wireless device may be used to store received 
applications and permission lists 425. In addition, the storage area 405 may be used 
to store one or more “keys” 405. These keys are applied, together with a signature 
algorithm, to a received digital signature to determine whether the signed information 
was modified. 





Rules 435 may also be installed on the wireless device 400. These rules may 
be used in conjunction with the permission list to determine if an application is 
allowed to execute. For example, a rule may state that an application is allowed to 
execute if a certification flag is set in the permission list (i.e., indicating the 
application passed certification). The permission list will have the certification flag 
set or not, depending on whether it passed certification. By applying the rule to the 
information contained in the permission list, permission to execute the application is 
either granted or denied. 

The manufacturer (not shown) of the wireless device 400 may download 
application programs onto the storage 405 of the wireless device 400 at the time the 
wireless device 400 is manufactured. These application programs may be any 
program potentially useful or entertaining to the user of the wireless device, such as 
games, books, or any other type of data or software programs. The application 
programs also may be downloaded onto the wireless device 400 over the air after the 
wireless device is manufactured. 

The remove program, when executed by the wireless device 400, uninstalls 
one or more targeted application programs from among the applications stored on the 
wireless device 400. The targeted application program is an application program that 
needs to be uninstalled from the wireless device 400 for various reasons discussed 
below. 

The wireless device 400 has a local database 420 installed by the 
manufacturer. The API of the wireless device is programmed to automatically update 
the local database 420 with a record of identifying information about each of the 
application programs stored on the wireless device 400. The local database 420 
contains a record of the signature identifications unique to each application program 
stored on the wireless device 400. Additionally, the local database 420 may contain a 
record of the location of the application programs within the storage 405 on the 
wireless device 400 and any other information useful for keeping track of which 
application programs are downloaded on the wireless device 400, and where they are 
located. 

Figure 5 is a block diagram depicting information used to create a digital 
signature and transmitted to a wireless device in an exemplary embodiment of the 
present invention. As is known by those skilled in the art, digital signatures may be 
used to detect whether a digital file has been modified. As described, digital signatures 
can be applied to any digital file, including documents, applications, databases, etc. 

In general, a digital signature is created by applying a key to a file using a signature 
algorithm. This digital signature is created using the information contained in the file. 
Typically, the digital signature is sent along with the file to a recipient. The recipient 
of the file and digital signature can then apply a key to the received file and digital 
signature to determine if the file has been modified during the transmission to the 
recipient. 

Keys used to create and evaluate a digital signature can be used to determine 
the identity of the signer. For example, a key may be generated to create a digital 
signature by an entity and kept securely. This entity can distribute a corresponding 
key that can be used to evaluate the digital signature. If the key is kept securely and 
not compromised, the recipient evaluating the digital signature can determine not only 
whether the information was modified, but also the identity of the signer. 

Alternatively, third-party entities can create keys for specific entities in a 
secure fashion. Therefore, a recipient having a key associated with a specific identity 
will be able to determine if that entity was the signer. 

In one embodiment of the present invention, a digital signature 515 is 
generated by using the signer’s key 525, e.g., a key of the central server (see Figure 
2), the application 500, the permission list 505 and the developer identity information 
510 as input to a digital signature algorithm 530. The result is a digital signature 515 
that is dependent on the information contained in the inputs. 

After creating the digital signature 515, the application 500, permission list 
505, developer identity information 510 and digital signature 515 are transmitted to 
the wireless device 520. The wireless device can then use the digital signature to 
determine if any of the application or related information (i.e., the permission list and 
developer identity information) was modified. In addition, using one of the 
techniques described above, such as a secure key, the wireless device may also have 
confidence in the identity of the signer who transmitted this information to the 
wireless device. 
Figure 6 is a flowchart depicting the steps used by a server or servers in 
distributing an application in a manner consistent with an exemplary embodiment of 
the present invention. In this exemplary embodiment, the process begins by receiving 
an application and a digital signature (Step 600). The digital signature is information 
related to the application such that it can be determined if the application was 
modified prior to its reception. Furthermore, it is preferable that the key used to create 
the digital signature be assigned by a third party in order to validate that the entity or 
developer signing the application is the developer that received the assigned key. 

After receiving the application and digital signature, the digital signature is 
evaluated to determine if the developer who sent the application is the same as the one 
who signed the application (Step 605). If a third party assigned the key to the 
developer to create the digital signature, then the third party may also assign the key 
used to evaluate the digital signature to the receiving party, such as to the central server 
described with respect to Figure 2. 

The identification of the developer, or whichever entity signed and/or created 
the application, is then stored and associated with the application (Step 610). The 
storage may be in a table, database or in some other manner such that it can be later 
retrieved in the event the identity of the developer needs to be determined. In one 
embodiment, the developer’s identification is stored in a wireless device and not in a 
server. 

The received application is then certified to determine if it meets specified 
criteria (Step 615). In one embodiment, an application may be written to execute on a 
specific platform used in wireless devices, such as the BREW™ platform developed 
by QUALCOMM Incorporated, headquartered in San Diego, California. A 
specific platform, or device, may have specific requirements that an application must 
meet prior to having it executed on the device. For example, a platform or device 
may require that an application not access specific memory locations in the device so 
that the integrity of the device or of other applications located in memory is not 
compromised. These criteria can be specified and the application can be tested to 
determine if these criteria are met. Preferably, these criteria are predetermined and 
provided to the developer to incorporate into the application’s development. 
After certification, the permissions associated with the application for a given 
environment are assigned (Step 620). Permissions may be assigned based on many 
factors, depending on the environment in which the present invention is implemented. 
In one embodiment, the applications are intended for a wireless device. In this 
embodiment, assigning permissions may depend on the carrier network, a wireless 
device’s requirements, results of certification testing, and developer, carrier or other 
testing environments, for example. Therefore, an example of a permission list is an 
indication that the application passed certification testing and that it may execute on a 
specific carrier’s network. 

The server then digitally signs the application, permission list, and developer 
identification (Step 625). In one embodiment, this signature is performed using a 
secure key so that the identity of the server can be determined by those receiving this 
digitally signed information. It is not required that the developer’s signature that was 
received by the server also be signed or that the developer’s signature be sent to the 
wireless device. 

The application, permission list, developer identification and the signature 
created in step 625 are then transmitted to a wireless device (Step 630). 

Figure 7 is a flowchart depicting the steps used by a wireless device when 
executing an application in a manner consistent with an exemplary embodiment of the 
present invention. In this embodiment, the wireless device stores rules to evaluate 
permissions associated with an application (Step 700). It will be recognized by those 
skilled in the art that, while the present invention describes a rules/permissions 
paradigm, there are many paradigms that may be used to grant permission to an 
application for a specific device or platform and these are considered within the scope 
of the present invention. 

The wireless device then receives the application, permission list, developer 
identification and digital signature (Step 705). In one embodiment, the wireless 
device may evaluate the received digital signature to determine the identity of the 
signer. The digital signature may also be used to determine if the application, 
permission list or developer identification was modified after having been signed. 

The wireless device then receives a request to execute the application (Step 
710). This request may come from the user of the wireless device wanting to execute 
a program. Alternatively, the request may be made by the wireless device itself or 
from some request transmitted to the wireless device, either through a network or 
direct connection to the wireless device. 

After receiving the request, the wireless device evaluates the digital signature 
and the permission list associated with the application prior to its execution (Step 
720). As described, the wireless device, in one embodiment, may use rules to 
evaluate the permissions list. If by evaluating the digital signature it is determined 
that the application, permission list or developer identification was not modified, then 
the wireless device evaluates the permission list using the stored rules. If there was 
no modification and the evaluation of the rules against the permission list indicates 
that the application is granted permission to execute in the wireless device, the 
processing proceeds to execute the application on the device (Step 730). 

If the evaluation in Step 720 indicates that either the application, permission 
list or developer identification was modified after being signed, or that the application 
is denied permission to execute on the wireless device, then the application is not 
executed (Step 725). Processing proceeds to remove the application from the wireless 
device (Step 750). It is also preferred that the permission list and developer 
identification also be removed from the wireless device. 

Following step 730, the application’s execution is monitored to determine if it 
performs an illegal or improper operation (Step 735). The wireless device or the 
platform the wireless device is using may define certain operations to be illegal or 
improper. These operations may include those that access restricted areas of memory 
or memory locations used by other programs or files. In addition, these operations 
may involve harmful uses of the wireless device’s resources such that they may not 
only affect the wireless device, but also other devices on the network to which the 
wireless device is attached. 

If such an illegal or improper operation is attempted, then the application’s 
execution is stopped (Step 745) and the application is removed from the wireless 
device (Step 750) along with, preferably, the developer identification and permission 
list. As stated above, alternatively, the remove process may involve disabling the 
application, thereby preventing its execution, while keeping the application on the 
wireless device. 
If no illegal, improper, or undesirable operation is performed in step 735, then 
the application is allowed to continue execution (Step 740). 
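The signing inputs of Figure 5 and the server and device flows of Figures 6 and 7 (Steps 620 through 750), carried through as an added worked example. This is illustrative code written for this page, not code from the patent or from the BREW platform. It assumes HMAC-SHA256 as a stand-in for the unspecified signature algorithm 530 and key 525 (a MAC key must also be held by the verifier, so a deployment wanting the signer-identity property described above would use an asymmetric signature and store only the verification key on the device); the permission list as a small key/value list; and two constructed rules 435 (certification flag set, carrier matches the device). The developer identity, carrier names and application bytes are constructed sample input.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# Constructed for this example: the central server's signing key. HMAC-SHA256
# stands in for the patent's unspecified signature algorithm; a real deployment
# would use an asymmetric scheme so the device holds only a verification key.
SERVER_KEY = b"central-server-signing-key (constructed for this example)"


def encode_bundle(app: bytes, permissions: dict, developer_id: str) -> bytes:
    """Canonical, length-prefixed encoding of the three signed inputs of
    Figure 5 (application 500, permission list 505, developer identity 510).
    Sorting the permission keys makes the encoding deterministic; the length
    prefixes stop bytes being shifted between fields without changing the
    digest, which plain concatenation would allow."""
    perm_bytes = "\n".join(f"{k}={permissions[k]}" for k in sorted(permissions)).encode()
    encoded = b""
    for part in (app, perm_bytes, developer_id.encode()):
        encoded += struct.pack(">I", len(part)) + part
    return encoded


def sign_bundle(key: bytes, app: bytes, permissions: dict, developer_id: str) -> bytes:
    """Digital signature 515 over the encoded inputs (signature algorithm 530)."""
    return hmac.new(key, encode_bundle(app, permissions, developer_id), hashlib.sha256).digest()


def verify_bundle(key: bytes, app: bytes, permissions: dict, developer_id: str,
                  signature: bytes) -> bool:
    """Device-side check (Step 720): recompute the signature and compare in constant time."""
    expected = sign_bundle(key, app, permissions, developer_id)
    return hmac.compare_digest(expected, signature)


def server_distribute(app: bytes, developer_id: str, passed_certification: bool,
                      carrier: str) -> dict:
    """Figure 6, Steps 615-630: record the certification result and the carrier as the
    permission list, sign application + permission list + developer id, return the bundle."""
    permissions = {"certified": str(passed_certification).lower(), "carrier": carrier}
    signature = sign_bundle(SERVER_KEY, app, permissions, developer_id)
    return {"app": app, "permissions": permissions, "developer_id": developer_id,
            "signature": signature}


# Rules 435, evaluated against the permission list before execution (both constructed):
# the certification flag must be set and the listed carrier must match the device's.
RULES = [
    lambda perms, device: perms.get("certified") == "true",
    lambda perms, device: perms.get("carrier") == device.carrier,
]


@dataclass
class WirelessDevice:
    carrier: str
    verify_key: bytes
    storage: dict = field(default_factory=dict)   # storage 405: name -> received bundle
    local_db: dict = field(default_factory=dict)  # local database 420: name -> signature id

    def install(self, name: str, bundle: dict) -> None:
        """Step 705: store the received bundle and record it in the local database."""
        self.storage[name] = bundle
        self.local_db[name] = bundle["signature"].hex()[:16]

    def remove(self, name: str) -> None:
        """Step 750: uninstall the application together with its permission list and developer id."""
        self.storage.pop(name, None)
        self.local_db.pop(name, None)

    def request_execute(self, name: str) -> str:
        """Steps 710-750: verify the signature, then apply the rules; on either failure, remove."""
        bundle = self.storage.get(name)
        if bundle is None:
            return "not installed"
        if not verify_bundle(self.verify_key, bundle["app"], bundle["permissions"],
                             bundle["developer_id"], bundle["signature"]):
            self.remove(name)
            return "removed: modified after signing"
        if not all(rule(bundle["permissions"], self) for rule in RULES):
            self.remove(name)
            return "removed: permission denied"
        return "executed"


def demo() -> dict:
    """Three constructed scenarios; returns the device's decision for each."""
    app = b"\x7fBREW-sample-application-bytes"  # constructed stand-in for an application
    device = WirelessDevice(carrier="carrier-A", verify_key=SERVER_KEY)
    results = {}

    good = server_distribute(app, "dev-1234", True, "carrier-A")
    device.install("good", good)
    results["good"] = device.request_execute("good")

    # An attacker flips the certification flag of an uncertified application in
    # transit; the signature no longer matches, so the device refuses and removes it.
    tampered = server_distribute(app, "dev-1234", False, "carrier-A")
    tampered["permissions"]["certified"] = "true"
    device.install("tampered", tampered)
    results["tampered"] = device.request_execute("tampered")

    # Genuine signature, but the permission list names a different carrier.
    other = server_distribute(app, "dev-1234", True, "carrier-B")
    device.install("other_carrier", other)
    results["other_carrier"] = device.request_execute("other_carrier")

    results["still_installed"] = sorted(device.storage)
    return results
```

The order of the checks in request_execute matters: the permission list is only trusted after the signature over it has verified, since otherwise an attacker who can edit the permission list in transit could set the certification flag himself, which is exactly what the tampered scenario exercises.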

CONCLUSION 

Using mechanisms to certify, detect modifications, determine source identity, 
assign permissions, and incorporate the ability to remove the application, systems and 
methods consistent with the present invention increase safe and secure application 
distribution and execution. Systems and methods may implement any one, several, or 
all of these mechanisms. The more mechanisms implemented, the higher the degree of 
safety that is achieved. 

In one embodiment, a developer sends an application to a server. The 
developer may sign the application to protect against unauthorized modification. A 
server checks the identity of the developer, and performs certification testing on the 
application. The server also assigns permissions to the application, creating a 
permission list. The application, permission list and developer identification are digitally 
signed by the server and sent to a wireless device along with the digital signature. A 
wireless device checks the digital signature for modification and the permission list 
against stored rules prior to executing the application. In one embodiment, these 
checks are performed prior to each attempt to execute the application on the wireless 
device. If the checks indicate the application has been modified or denied permission 
to execute, the application does not execute and is removed from the wireless device. 
Furthermore, if during execution, the application attempts an illegal or improper 
operation, the application is terminated and then removed from the wireless device. 

The foregoing description of an implementation of the invention has been 
presented for purposes of illustration and description. It is not exhaustive and does 
not limit the invention to the precise form disclosed. Modifications and variations are 
possible in light of the above teachings or may be acquired from practicing of the 
invention. For example, the described implementation includes software but one 
embodiment of the present invention may be implemented as a combination of 
hardware and software or in hardware alone. The invention may be implemented with 
both object-oriented and non-object-oriented programming systems. Additionally, 
although aspects of the present invention are described as being stored in memory, 
those skilled in the art will appreciate that these aspects can also be stored on other 
types of computer-readable media, such as secondary storage devices, like hard disks, 
floppy disks, or CD-ROM; a carrier wave from the Internet or other propagation 
medium; or other forms of RAM or ROM. The scope of the invention is defined by 
the claims and their equivalents. 



What is claimed is: 
CLAIMS 



[cl] 1. A method for distributing and processing an application, comprising the steps 
of: 

receiving the application and identification information; 
certifying the application satisfies a predetermined criterion; 
assigning a permission to the application; 

transmitting the application, the permission and the identification information 
to a device using a modification detection technique; 

determining whether the application was modified during transmission; 
storing a rule on the device; 

determining if the application may be processed using the permission and the 
rule; and 

removing the application from the device. 

[c2] 2. The method of claim 1 further comprising the steps of: 

initiating the execution of the application on the device; 
monitoring the execution of the application; and 
detecting the application attempting to make an improper operation. 

[c3] 3. The method of claim 1, wherein the application is denied permission to be 
processed on the device. 

[c4] 4. The method of claim 1, wherein the identification information is retrieved by 
the device. 

[c5] 5. The method of claim 1 further comprising the step of detecting a modification 
in the application. 

[c6] 6. The method of claim 1 further comprising the step of detecting a modification 
in the permission. 
[c7] 7. The method of claim 1, wherein the modification detection technique uses a 
digital signature. 

[c8] 8. A method for distributing and processing an application, comprising the steps 
of: 

receiving the application and identification information; 
certifying the application satisfies a predetermined criterion; 
assigning a permission to the application; 

transmitting the application, the permission and the identification information 
to a wireless device; 

storing a rule on the device; and 

determining if the application may be processed on the device using the 
permission and the rule. 

[c9] 9. The method of claim 8 further comprising the steps of: 

initiating the execution of the application on the wireless device; 
monitoring the execution of the application; 

detecting the application attempting to make an improper operation; and 
removing the application from the wireless device. 

[c10] 10. The method of claim 8, wherein the application was denied permission to be 
processed on the wireless device and further comprising the step of removing the 
application from the device. 

[c11] 11. The method of claim 8, wherein the identification information is determined 
by the wireless device. 

[c12] 12. The method of claim 8, wherein a modification detection technique is used to 
transmit the application, the permission and the identification information. 

[c13] 13. The method of claim 12, wherein the modification detection technique uses a 
digital signature. 
14. The method of claim 12 further comprising the steps of: 

detecting a modification in the application transmitted to the device; and 
removing the application from the device, 

15. The method of claim 12 further comprising the steps of: 

detecting a modification in the permission transmitted to the device; and 
removing the application from the device. 

16. A method for distributing and processing an application, comprising the steps 
of: 

receiving the application and identification information; 
assigning a permission to the application; 

transmitting the application, the permission and the identification information 
to a device using a modification detection technique; 

determining whether the application was modified during transmission; 
storing a rule on the device; 

determining if the application may be processed using the permission and the 
rule; and 

removing the application from the device. 

17. The method of claim 16 further comprising the steps of: 
initiating the execution of the application on the wireless device; 
monitoring the execution of the application; 

detecting the application attempting to make an improper operation; and 
removing the application from the wireless device. 

18. The method of claim 16, wherein the application was denied permission to be 
processed on the wireless device and further comprising the step of removing the 
application from the device. 
19. The method of claim 16, wherein the identification information is determined 
by the wireless device. 

20. The method of claim 16, wherein a modification detection technique is used to 
transmit the application, the permission and the identification information. 

21. The method of claim 20, wherein the modification detection technique uses a 
digital signature. 

22. The method of claim 20 further comprising the steps of: 

detecting a modification in the application transmitted to the device; and 
removing the application from the device. 

23. The method of claim 12 further comprising the steps of: 

detecting a modification in the permission transmitted to the device; and 
removing the application from the device. 

24. A system for distributing and executing an application on a wireless device, 
comprising: 

a central server operable to receive the application and developer 
identification, to assign a permission associated with the application and to transmit 
the application information to the wireless device; 

a server operable to certify the application satisfies a predefined criterion; and 
the wireless device operable to receive the application and developer 
identification, and to evaluate the assigned permission. 

25. The system of claim 24, wherein the central server is further operable to 
transmit the application to the wireless device using a modification detection 
technique. 
[c26] 26. The system of claim 24, wherein the central server is further operable to 
transmit the permission to the wireless device using a modification detection 
technique. 

[c27] 27. The system of claim 24, wherein the server operable to certify the 
application is the central server. 

[c28] 28. The system of claim 24, wherein the wireless device is operable to evaluate 
the assigned permission using a rule stored in the wireless device. 

[c29] 29. A system for distributing and executing an application on a wireless device, 
comprising: 

means for receiving the application and identification information; 
means for assigning a permission to the application; 

means for transmitting the application, the permission and the identification 
information to the device using a modification detection technique; 

means for determining whether the application was modified during 
transmission; 

means for storing a rule on the device; 

means for determining if the application may be processed using the permission 
and the rule; and 

means for removing the application from the device. 

[c30] 30. A method of processing application distribution, comprising the steps of: 

receiving the application and identification information; 
certifying the application satisfies a predetermined criterion; 
assigning a permission to the application; 

transmitting the application, the permission and the identification information 
to the device using a modification detection technique; and 

initiating a request to remove the application from a device. 
[c31] 31. The method of claim 30, further comprising the step of: 

evaluating the received application and identification information to determine 
the identity of a developer of the application. 

[c32] 32. The method of claim 30, wherein the modification detection technique uses a 
digital signature. 

[c33] 33. A method of processing application distribution, comprising the steps of: 

receiving the application and identification information; 
assigning a permission to the application; and 

transmitting the application, the permission and the identification information 
to the device using a modification detection technique. 

[c34] 34. The method of claim 33 further comprising the step of initiating a request to 
remove the application from a device. 

[c35] 35. The method of claim 33 further comprising the step of certifying the 
application satisfies a predetermined criterion. 

[c36] 36. The method of claim 33, further comprising the step of: 

evaluating the received application and identification information to determine 
the identity of a developer of the application. 

[c37] 37. The method of claim 33, wherein the modification detection technique uses a 
digital signature. 

[c38] 38. A system for application distribution, comprising: 

a central server operable to receive application and identity information, 
assign a permission, and transmit the application using a modification detection 
technique; and 

a network connected to the central server to receive the application. 
39. The system of claim 38, wherein the central server is further operable to 
certify the application satisfies a predefined criterion. 

40. A system for application distribution, comprising: 

means for receiving the application and identification information; 
means for certifying the application satisfies a predetermined criterion; 
means for assigning a permission to the application; and 
means for transmitting the application, the permission and the identification 
information to the device using a modification detection technique. 

41. A computer-readable medium containing computer-executable instructions for 
distributing applications, comprising the steps of: 

receiving the application and identification information; 
certifying the application satisfies a predetermined criterion; 
assigning a permission to the application; and 

transmitting the application, the permission and the identification information 
to the device using a modification detection technique. 

42. A method for executing an application on a wireless device, comprising the 
steps of: 

storing a rule to evaluate a permission; 

receiving information comprising the application, the permission and an 
identification using a modification detection technique; 

receiving a request to execute the application on the wireless device; 
evaluating the received information to determine if the received information 
was modified; 

in the event the received information was not modified, evaluating the 
permission associated with the application; and 

in the event the permission is granted, executing the application. 



[c43] 43. The method of claim 42, wherein the modification detection technique uses a 
digital signature. 
[c44] 44. The method of claim 42 further comprising the step of monitoring the 
execution of the application to determine if an improper operation is attempted. 

[c45] 45. The method of claim 42 further comprising the step of removing the 
application from the wireless device. 

[c46] 46. A method for executing an application on a wireless device, comprising the 
steps of: 

storing a rule to evaluate a permission; 

receiving information comprising the application, the permission and an 
identification using a modification detection technique; 

receiving a request to execute the application on the wireless device; 
evaluating the permission associated with the application; and 
in the event the information was modified, removing the application from the 
wireless device. 

[c47] 47. The method of claim 46, further comprising the steps of: 

in the event the received information was not modified, evaluating the 
permission associated with the application; and 

in the event the permission is granted, executing the application. 

[c48] 48. The method of claim 46, wherein the modification detection technique uses a 
digital signature. 

[c49] 49. The method of claim 46 further comprising the step of monitoring the 
execution of the application to determine if an improper operation is attempted. 

[c50] 50. The method of claim 46 further comprising the step of removing the 
application from the wireless device in the event the improper operation is attempted. 

[c51] 51. A wireless device for executing an application, comprising: 

an input to receive an application and a permission; 
a rule contained in storage to evaluate the permission; and 
a key contained in storage to evaluate a digital signature, 
wherein the wireless device is operable to execute the application upon evaluation of 
the permission and digital signature. 

[c52] 52. A wireless device for executing an application, comprising: 

means for storing a rule to evaluate a permission; 

means for receiving information comprising the application, the permission 
and an identification using a modification detection technique; 

means for receiving a request to execute the application on the wireless 
device; 

means for evaluating the received information to determine if the received 
information was modified; 

means for, in the event the received information was not modified, evaluating 
the permission associated with the application; and 

means for, in the event the permission is granted, executing the application. 

[c53] 53. A computer-readable medium containing computer-executable instructions for 
distributing applications, comprising the steps of: 
storing a rule to evaluate a permission; 

receiving information comprising the application, the permission and an 
identification using a modification detection technique; 

receiving a request to execute the application on the wireless device; 
evaluating the received information to determine if the received information 
was modified; 

in the event the received information was not modified, evaluating the 
permission associated with the application; and 

in the event the permission is granted, executing the application. 